<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Bugzilla</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REL="HOME"
TITLE="The Bugzilla Guide - 3.6.4 
    Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Bugzilla Security"
HREF="security.html"><LINK
REL="PREVIOUS"
TITLE="Web server"
HREF="security-webserver.html"><LINK
REL="NEXT"
TITLE="Using Bugzilla"
HREF="using.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Bugzilla Guide - 3.6.4 
    Release</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="security-webserver.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 4. Bugzilla Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="using.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="security-bugzilla"
>4.3. Bugzilla</A
></H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-bugzilla-charset"
>4.3.1. Prevent users injecting malicious Javascript</A
></H2
><P
>If you installed Bugzilla version 2.22 or later from scratch,
      then the <EM
>utf8</EM
> parameter is switched on by default.
      This makes Bugzilla explicitly set the character encoding, following
      <A
HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3"
TARGET="_top"
>a
      CERT advisory</A
> recommending exactly this.
      The following therefore does not apply to you; just keep
      <EM
>utf8</EM
> turned on.
      </P
><P
>If you've upgraded from an older version, then it may be possible
      for a Bugzilla user to take advantage of character set encoding
      ambiguities to inject HTML into Bugzilla comments.
      This could include malicious scripts. 
      This is because due to internationalization concerns, we are unable to
      turn the <EM
>utf8</EM
> parameter on by default for upgraded
      installations.
      Turning it on manually will prevent this problem.
      </P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="security-webserver.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="using.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Web server</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="security.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Using Bugzilla</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>